On Thu, Feb 21, Birger Toedtmann wrote:
> > Most mailclients would then notice, that there is no inbox -because
> > imapd is now looking into "/var/imap/user/ uSer /" which currently
> > does not exist. Then they issue a "create inbox" command and voila, we
> > have a new directory called "/var/imap/user/ uSer /".
> >
> > So I wrote a small patch for the auth_canonifyid function, which
> > strips off leading and trailing whitespaces and lowers alpha chars.
> [...]
>
> With the whitespaces I'm not sure but I don't think one should enforce
> case insensitivety - instead one should instruct OpenLDAP to behave case
> sensitive.
Yes, that's what I also thought in the past.
In the OpenLDAP core schema, you can read:
# OpenLDAP Core schema
#
# Includes LDAPv3 schema items from:
# RFC2251-RFC2256 (LDAPv3)
#
# select standard track schema items:
# RFC2079 (URI)
# RFC1274 (uid/dc)
[...]
#
# Derived from RFC1274, but with new "short names"
#
attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274: user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
[...]
And in RFC 1274:
[...]
9.3.1. Userid
The Userid attribute type specifies a computer system login name.
userid ATTRIBUTE
WITH ATTRIBUTE-SYNTAX
caseIgnoreStringSyntax
(SIZE (1 .. ub-user-identifier))
::= {pilotAttributeType 1}
[...]
They all speak about caseinsensity.
Maybe we should include the openldap people into this discussion.
My original Mail:
------------------------------------------------------------------------
we noticed, that cyrus-imapd allows users to prepend or append
whitespaces to their uid like this:
. login " user " secret
cyrus-imapd hand's over this string as is to the underlying
authentication system. In case of pam with pam_ldap, this results in a
DN like this:
"uid= user ,dc=some,dc=dom"
which will then be normalized by OpenLDAP to
"uid=user,dc=some,dc=dom"
and will give a successfull authentication... :-(
Another point is, that the uid attribute is caseINsensitve as defined
in the core openldap schema, which makes things even harder:
. login " uSer " secret
would be the same as
. login " user " secret
for openldap in this case.
Most mailclients would then notice, that there is no inbox -because
imapd is now looking into "/var/imap/user/ uSer /" which currently
does not exist. Then they issue a "create inbox" command and voila, we
have a new directory called "/var/imap/user/ uSer /".
So I wrote a small patch for the auth_canonifyid function, which
strips off leading and trailing whitespaces and lowers alpha chars.
I am not exactly sure, if this is the right place to fix, but it
works.
------------------------------------------------------------------------
--
With best regards,
Carsten Hoeger
SuSE, The Linux Experts, http://www.suse.com
Key fingerprint = E3B6 7FDB 4800 0F22 DC09 EB2B 7988 B6A8 6691 C94A